Security Policy Development


Do you have published IT Security Policies and Procedures? If not, you need them!

All businesses should have written IT Policies and Procedures, and many are required by statute to maintain and report on them to governing organizations.

For example, New York State's Department of Financial Services cybersecurity regulation, 23 NYCRR Part 500 (proposed in 2016 and in effect since March 1, 2017), requires every organization operating under a license, registration, charter or similar authorization under New York's Banking, Insurance or Financial Services Laws to maintain a written cybersecurity program and written policies, and to file an annual certification of compliance with the State.

Regulations aside, all businesses should have published, comprehensive policies and procedures for Information Technology.

We'll Develop and Publish Your Custom IT Policies Document:

  • Meetings with key personnel
  • Discussion of your regulatory responsibilities and requirements
  • Development of the baseline document contents
  • Coordination with HR policies and procedures
  • Identification of employee education and training needs
  • Expectations for outside vendors

Ongoing Risk Assessment Services Available:

  • Penetration Testing
  • Website Intrusion Testing
  • Social Engineering Testing

Key Policy Components

NIST SP 800-171* organizes its security requirements into the following fourteen families; a complete IT Policy and Procedures Document should cover each of them:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity
*NIST Special Publication 800-171, National Institute of Standards and Technology, U.S. Department of Commerce

Your Policies & Procedures Document will include over 100 pages of:

General
  • Acceptable Encryption Policy
  • Acceptable Use Policy
  • Clean Desk Policy
  • User Awareness Training Policy
  • Data Destruction Policy
  • Data Breach Response Policy
  • Disaster Recovery Plan Policy
  • Digital Signature Acceptance Policy
  • Email Policy
  • Ethics Policy
  • Pandemic Response Planning Policy
  • Password Construction Guidelines
  • Password Protection Policy
  • Security Response Plan Policy
  • End User Encryption Key Protection Policy

Network Security
  • Acquisition Assessment Policy
  • Bluetooth Baseline Requirements Policy
  • Remote Access Policy
  • Remote Access Tools Policy
  • Router and Switch Security Policy
  • Wireless Communication Policy
  • Wireless Communication Standard

Server Security
  • Database Credentials Policy
  • Technology Equipment Disposal Policy
  • Information Logging Standard
  • Lab Security Policy
  • Server Security Policy
  • Software Installation Policy
  • Workstation Security (For HIPAA) Policy

Application Security
  • Web Application Security Policy

Is it a Policy, a Standard, or a Guideline?


What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. According to the SANS Institute:

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 10 workstation for placement on the network. People must follow this standard exactly if they wish to install a Windows 10 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses XYZ AntiVirus for all systems, and supporting policies and procedures define how it is used.

A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.



Founded in 1989 by enterprise technical experts, Managed Services Team quickly grew to become the regional leader in IT support for businesses in Western New York. In 2003 we introduced the concept of fixed-fee pricing, a.k.a. Managed Services, and eliminated forever the mystery of IT support costs.

Today we service clients across every industry, providing IT Support, Web Development and Hosting, and Contemporary VOIP communications systems. Call today for a fresh look at your technology.




  • Address:  72 Cascade Drive
    Rochester, NY 14614
  • Phone: 585 423 9810